
CVE-2023-33251
https://notcve.org/view.php?id=CVE-2023-33251
21 May 2023 — When Akka HTTP before 10.5.2 accepts file uploads via the FileUploadDirectives.fileUploadAll directive, the temporary file it creates is given overly permissive file permissions: on Linux and other UNIX systems it is readable by other local users, a similar issue to CVE-2022-41946. • https://akka.io/security/akka-http-cve-2023-05-15.html • CWE-732: Incorrect Permission Assignment for Critical Resource •
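As an added illustration of this defect class (example code, not Akka's): a spool file created with plain open() takes its mode from the process umask, so under the usual umask 022 it ends up 0644 and every local user can read the uploaded content; mkstemp() instead opens the file with O_EXCL and mode 0600 regardless of the umask. The helper names, the spool directory layout and the upload body are constructed for the example. On the JVM the same distinction exists between java.io.File.createTempFile, whose mode follows the umask, and java.nio.file.Files.createTempFile, whose Javadoc states that on POSIX file systems the file is created with permissions restricted to the owner.

```python
"""Added illustration for CWE-732 (not Akka code): an upload spooled to a temp
file whose mode follows the umask, next to one created owner-only (0600)."""
import os
import stat
import tempfile


def spool_upload_weak(directory: str, payload: bytes) -> str:
    """Weak variant (hypothetical): open() creates the file with mode 0666
    masked by the umask, i.e. 0644 under umask 022, readable by all users."""
    path = os.path.join(directory, "upload-spool.tmp")
    with open(path, "wb") as f:
        f.write(payload)
    return path


def spool_upload_safe(directory: str, payload: bytes) -> str:
    """Hardened variant: mkstemp() opens with O_CREAT|O_EXCL and mode 0600,
    independent of the umask, so only the owning user can read the content."""
    fd, path = tempfile.mkstemp(prefix="upload-", suffix=".tmp", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    return path


def readable_by_others(path: str) -> bool:
    """True if the group or world read bit is set on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_spool_dir(directory: str) -> list:
    """Operational check for a running deployment: spool files that leak."""
    return sorted(
        name for name in os.listdir(directory)
        if readable_by_others(os.path.join(directory, name))
    )


def demo() -> dict:
    """Create both variants under umask 022 and report the resulting modes."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            weak = spool_upload_weak(d, b"constructed upload body")
            safe = spool_upload_safe(d, b"constructed upload body")
            return {
                "weak_mode": stat.S_IMODE(os.stat(weak).st_mode),  # 0o644
                "safe_mode": stat.S_IMODE(os.stat(safe).st_mode),  # 0o600
                "leaking": audit_spool_dir(d),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())
```

audit_spool_dir() is the check to run against an existing upload directory after a patched deployment: files written by an unpatched version keep their old mode until they are removed or chmod'ed.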

CVE-2023-31442
https://notcve.org/view.php?id=CVE-2023-31442
11 May 2023 — In Lightbend Akka before 2.8.1, the async-dns resolver (used by Discovery in DNS mode and transitively by Cluster Bootstrap) uses predictable DNS transaction IDs when resolving DNS records, making DNS resolution subject to poisoning by an attacker. If the application performing discovery does not validate (e.g., via TLS) the authenticity of the discovered service, this may result in exfiltration of application data (e.g., persistence events may be published to an unintended Kafka broker). If such validation... • https://akka.io/security/akka-async-dns-2023-31442.html •
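An added example (not Akka code) of why the transaction ID matters: a stub resolver accepts the first reply whose ID and question section match its outstanding query, so an attacker who has observed one ID from a sequential source can forge the next reply without seeing the query. The DNS header and question layout follow RFC 1035; the SequentialIds class is a hypothetical predictable ID source, and the service name kafka.internal.example and address 203.0.113.9 are constructed for the example. The check deliberately omits the other defences a real resolver layers on top (source-port randomisation, 0x20 case randomisation, DNSSEC).

```python
"""Added illustration (not Akka code): predictable vs. random DNS transaction
IDs and the resolver-side acceptance check a forged reply has to pass."""
import secrets
import struct


def encode_name(name: str) -> bytes:
    """RFC 1035 wire form: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Header (id, flags=RD, qd=1, an=0, ns=0, ar=0) plus one question (IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_forged_reply(txid: int, name: str, ip: str) -> bytes:
    """Attacker-constructed reply claiming name -> ip under a guessed txid."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR|RD|RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answer


class SequentialIds:
    """Hypothetical predictable ID source: each query uses the previous ID + 1."""

    def __init__(self, start: int = 1):
        self.next = start

    def __call__(self) -> int:
        txid, self.next = self.next, (self.next + 1) & 0xFFFF
        return txid


def random_id() -> int:
    """Unpredictable 16-bit ID drawn from the OS CSPRNG."""
    return secrets.randbelow(1 << 16)


def accepts_reply(query: bytes, reply: bytes) -> bool:
    """Resolver-side check: same txid, QR bit set, identical question section."""
    qid, _, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    rid, rflags, rqd, *_ = struct.unpack("!HHHHHH", reply[:12])
    if qid != rid or not rflags & 0x8000 or qd != 1 or rqd != 1:
        return False
    qlen = len(query) - 12
    return reply[12:12 + qlen] == query[12:]


def poisoning_succeeds(id_source, observed_prior_id: int, name: str, ip: str) -> bool:
    """The attacker saw one earlier txid and guesses the next one as prior + 1."""
    query = build_query(id_source(), name)
    forged = build_forged_reply((observed_prior_id + 1) & 0xFFFF, name, ip)
    return accepts_reply(query, forged)
```

With the sequential source a single observed ID is enough; with random_id() the forger has a 1 in 65536 chance per reply, which is why the advisory's second recommendation (authenticate the discovered endpoint, e.g. via TLS) still matters: a 16-bit ID only raises the cost of a blind race.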

CVE-2021-23339 – HTTP Request Smuggling
https://notcve.org/view.php?id=CVE-2021-23339
17 Feb 2021 — This affects all versions before 10.1.14 and from 10.2.0 to 10.2.4 of package com.typesafe.akka:akka-http-core. It allows multiple Transfer-Encoding headers. • https://github.com/akka/akka-http/pull/3754%23issuecomment-779265201 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
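Added example (not akka-http code) of the framing decision a server should make for an HTTP/1.1 request head. Smuggling works when two parsers in the chain disagree about where a body ends, so the safe response to any ambiguity is to refuse the request rather than pick an interpretation: repeated Transfer-Encoding headers (the case on this page), Transfer-Encoding alongside Content-Length, a coding list that does not end in chunked, conflicting Content-Length values, and whitespace before the header colon are all rejected. The sample request heads and the host name api.example are constructed for the example.

```python
"""Added illustration for CWE-444 (not Akka code): a strict body-framing decision
that rejects the ambiguous header combinations request smuggling relies on."""
from typing import List, Tuple


class FramingError(ValueError):
    """Raised for any request head whose body length is ambiguous."""


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split the head into the request line and (lower-cased name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # RFC 7230 3.2.4: whitespace between field-name and colon is rejected,
        # which also catches obs-fold continuation lines starting with SP/HTAB.
        if not sep or not name or name != name.strip():
            raise FramingError(f"malformed header line {line!r}")
        headers.append((name.decode("ascii").lower(), value.decode("ascii").strip()))
    return request_line, headers


def decide_framing(raw: bytes) -> str:
    """Return 'chunked', 'content-length:<n>' or 'none'; raise on ambiguity."""
    _, headers = parse_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if len(te) > 1:
        raise FramingError("multiple Transfer-Encoding headers")
    if te and cl:
        raise FramingError("Transfer-Encoding together with Content-Length")
    if te:
        codings = [c.strip().lower() for c in te[0].split(",")]
        if codings.count("chunked") != 1 or codings[-1] != "chunked":
            raise FramingError(f"unsupported transfer coding list {te[0]!r}")
        return "chunked"
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise FramingError(f"invalid or conflicting Content-Length {cl!r}")
        return f"content-length:{int(cl[0])}"
    return "none"


def rejected(raw: bytes) -> bool:
    """Convenience wrapper: True if decide_framing() refuses the request."""
    try:
        decide_framing(raw)
        return False
    except FramingError:
        return True


# Constructed sample request heads.
CLEAN_CHUNKED = (b"POST /upload HTTP/1.1\r\nHost: api.example\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
CLEAN_CL = b"POST /upload HTTP/1.1\r\nHost: api.example\r\nContent-Length: 5\r\n\r\nhello"
DUP_TE = (b"POST /upload HTTP/1.1\r\nHost: api.example\r\n"
          b"Transfer-Encoding: identity\r\nTransfer-Encoding: chunked\r\n\r\n")
TE_AND_CL = (b"POST /upload HTTP/1.1\r\nHost: api.example\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")
SPACE_BEFORE_COLON = (b"POST /upload HTTP/1.1\r\nHost: api.example\r\n"
                      b"Transfer-Encoding : chunked\r\n\r\n")
```

RFC 7230 does allow a repeated header field to be read as a comma-joined list, so DUP_TE is syntactically combinable; the point of refusing it anyway is that a front-end proxy and this server may combine it differently, and that disagreement is exactly what the attacker needs.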

CVE-2018-16131
https://notcve.org/view.php?id=CVE-2018-16131
30 Aug 2018 — The decodeRequest and decodeRequestWith directives in Lightbend Akka HTTP 10.1.x through 10.1.4 and 10.0.x through 10.0.13 allow remote attackers to cause a denial of service (memory consumption and daemon crash) via a ZIP bomb. • https://akka.io/blog/news/2018/08/30/akka-http-dos-vulnerability-found • CWE-400: Uncontrolled Resource Consumption •
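An added example (not Akka code) of the defence this class of bug needs: decode a compressed request body incrementally with a hard cap on the decompressed size, so a few kilobytes of compressed input that inflate to gigabytes are refused long before they exhaust memory. The decoder uses zlib's max_length and unconsumed_tail to bound each step; the bomb payload is constructed inline (zeros compress at roughly 1000:1 under deflate), and the limit values are arbitrary.

```python
"""Added illustration for CWE-400 (not Akka code): bounded gzip decoding of a
request body, rejecting payloads whose expanded size exceeds a cap."""
import gzip
import zlib


class DecompressionLimitExceeded(ValueError):
    """Decompressed output would exceed the configured cap."""


def decode_gzip_bounded(data: bytes, max_bytes: int, step: int = 64 * 1024) -> bytes:
    """Inflate data, never holding more than max_bytes + step of output.
    max_length bounds each decompress() call; unconsumed_tail carries the
    input that call did not reach, and eof tells us the stream is complete."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects the gzip wrapper
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, step)
        pending = d.unconsumed_tail
        if not piece and not pending and not d.eof:
            raise ValueError("truncated gzip stream")
        out += piece
        if len(out) > max_bytes:
            raise DecompressionLimitExceeded(
                f"decompressed size exceeds {max_bytes} bytes "
                f"(compressed input was {len(data)} bytes)")
    return bytes(out)


def make_bomb(expanded_size: int) -> bytes:
    """Constructed test payload: expanded_size zero bytes, gzipped."""
    return gzip.compress(bytes(expanded_size))


def exceeds_limit(data: bytes, max_bytes: int) -> bool:
    """True if decoding data under the cap is refused."""
    try:
        decode_gzip_bounded(data, max_bytes)
        return False
    except DecompressionLimitExceeded:
        return True


if __name__ == "__main__":
    bomb = make_bomb(8 * 1024 * 1024)
    print(len(bomb), "compressed bytes ->", exceeds_limit(bomb, 1024 * 1024))
```

The cap has to apply to the decompressed byte count, not to the request's Content-Length: the compressed size is the attacker's cheapest lever and tells you nothing about what comes out of the inflater.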

CVE-2018-16115
https://notcve.org/view.php?id=CVE-2018-16115
29 Aug 2018 — Lightbend Akka 2.5.x before 2.5.16 allows message disclosure and modification because of an RNG error. A random number generator is used in Akka Remoting for TLS (both classic and Artery Remoting). Akka allows configuration of custom random number generators. For historical reasons, Akka included the AES128CounterSecureRNG and AES256CounterSecureRNG random number generators. The implementations had a bug that caused the generated numbers to be repeated after only a few bytes. • https://doc.akka.io/docs/akka/current/security/2018-08-29-aes-rng.html • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •
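An added example (not Akka code, and not the actual Akka defect, whose mechanism this page does not describe) of how a counter-mode generator repeats output and how to catch it: the generator below uses HMAC-SHA256 as a stand-in for the AES block function, and a flag models one hypothetical defect of this class, a counter that is never advanced, so every block is identical. The detector scans a byte stream for the first block that repeats an earlier one; the key is drawn from the OS CSPRNG.

```python
"""Added illustration for CWE-338 (not Akka code): a counter-mode generator with
a switchable counter defect, and a repeated-block detector for RNG output."""
import hashlib
import hmac
import secrets
from typing import Optional


class CounterRng:
    """Output block i = PRF(key, counter_i). advance_counter=False models a
    hypothetical defect in which the counter is never moved on."""
    BLOCK = 32  # bytes per PRF output block

    def __init__(self, key: bytes, advance_counter: bool = True):
        self.key = key
        self.counter = 0
        self.advance_counter = advance_counter

    def next_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            block_input = self.counter.to_bytes(16, "big")
            out += hmac.new(self.key, block_input, hashlib.sha256).digest()
            if self.advance_counter:
                self.counter += 1
        return bytes(out[:n])


def first_repeat_offset(stream: bytes, block: int) -> Optional[int]:
    """Byte offset of the first block identical to an earlier one, else None."""
    seen = set()
    for i in range(0, len(stream) - block + 1, block):
        chunk = stream[i:i + block]
        if chunk in seen:
            return i
        seen.add(chunk)
    return None


def repeat_offset_for(advance_counter: bool, nbytes: int = 4096) -> Optional[int]:
    """Draw nbytes from a fresh generator and report where output first repeats."""
    rng = CounterRng(secrets.token_bytes(16), advance_counter=advance_counter)
    return first_repeat_offset(rng.next_bytes(nbytes), CounterRng.BLOCK)


if __name__ == "__main__":
    print("defective:", repeat_offset_for(False))  # 32
    print("correct:  ", repeat_offset_for(True))   # None
```

A check like first_repeat_offset() run over a few kilobytes of output is cheap to add to a test suite for any custom RNG wired into TLS; for this advisory the practical remedy is the upgrade, and not selecting AES128CounterSecureRNG or AES256CounterSecureRNG in the remoting TLS configuration of affected versions.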